The field of security information and event management (SIEM) is generally concerned with collecting data from networks and networked devices that reflects network activity and/or operation of the devices, and analyzing the data to enhance security. For example, the data can be analyzed to identify an attack on the network or a networked device and determine which user or machine is responsible. If the attack is ongoing, a countermeasure can be performed to thwart the attack or mitigate the damage caused by the attack. The data that is collected usually originates in a message (such as an event, alert, or alarm) or an entry in a log file, which is generated by a networked device. Exemplary networked devices include firewalls, intrusion detection systems, and servers.
One problem with SIEM services concerns the volume and rate at which event records are created. Typically, a maximum EPS (events per second) rate is set by a total licensed EPS rate that applies to the whole deployment. But certain security events can cause a surge in event records, for example, if each instance of a denial of service attack is reported as a separate event. As a result, a single network device can consume the entire licensed EPS rate if its output is uncontrolled. Equally critical events from other network devices may then be dropped in order to remain below the licensed EPS rate, so that the collector loses exactly the events it most needs during an attack.
Therefore, what is needed is a robust EPS allocation technique to respond to surges with dynamic reallocation of EPS rates to individual components.
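The following Python simulation is an added illustration of the problem described above and of one possible dynamic allocation; it is not code from the original document, and the max-min fair (water-filling) scheme, the licensed rate of 1000 EPS, the reserved floor of 50 EPS per source, the source names and the event counts are all assumptions chosen for the example. It contrasts a single first-come-first-served licensed cap, under which a flooding firewall starves every other device, with per-source quotas recomputed from measured demand so that quiet devices keep their share and only the surging device is throttled.

```python
"""Licensed-EPS allocation: global first-come cap vs. per-source fair shares (added example)."""
from collections import Counter

LICENSED_EPS = 1000   # assumed total licensed events per second for the deployment
RESERVED_EPS = 50     # assumed floor every known source keeps even when silent


def max_min_fair(demands, capacity):
    """Max-min fair (water-filling) split of `capacity` across sources.

    Each source gets min(demand, share); slack left by sources that need less
    than an equal share is redistributed to sources still demanding more.
    Integer EPS throughout; leftover units go round-robin in name order.
    """
    alloc = dict.fromkeys(demands, 0)
    pending = {s: d for s, d in demands.items() if d > 0}
    remaining = capacity
    while pending and remaining >= len(pending):
        share = remaining // len(pending)
        satisfied = [s for s, d in pending.items() if d <= share]
        if satisfied:
            for s in satisfied:             # grant their full demand, free the rest
                granted = pending.pop(s)
                alloc[s] += granted
                remaining -= granted
        else:                               # everyone wants more: equal slice each
            for s in pending:
                alloc[s] += share
                pending[s] -= share
                remaining -= share
    for s in sorted(pending):               # fewer units left than sources
        if remaining == 0:
            break
        alloc[s] += 1
        remaining -= 1
    return alloc


def admit_global_cap(events, total_eps=LICENSED_EPS):
    """One licensed cap, first come first served. Returns (accepted, dropped) per source."""
    accepted, dropped, used = Counter(), Counter(), 0
    for src in events:
        if used < total_eps:
            accepted[src] += 1
            used += 1
        else:
            dropped[src] += 1
    return accepted, dropped


def admit_fair_share(events, sources, total_eps=LICENSED_EPS, floor=RESERVED_EPS):
    """Per-source quotas recomputed from this interval's measured demand.

    Assumes the collector buffers one interval before forwarding, so demand is
    known when the quota is set. Every known source is reserved `floor` EPS so a
    device that was silent this interval is not starved when it next fires.
    Returns (quota, accepted, dropped).
    """
    demand = Counter(events)
    quota = max_min_fair({s: max(demand[s], floor) for s in sources}, total_eps)
    accepted, dropped = Counter(), Counter()
    for src in events:
        if accepted[src] < quota.get(src, 0):   # unknown sources get no quota
            accepted[src] += 1
        else:
            dropped[src] += 1
    return quota, accepted, dropped


SOURCES = ["firewall", "ids", "webserver"]
# Constructed one-second interval: the firewall reports each DoS packet as an
# event, and its flood sits ahead of the other devices in the collector's queue.
SURGE_INTERVAL = ["firewall"] * 5000 + ["ids"] * 200 + ["webserver"] * 300

if __name__ == "__main__":
    acc, drp = admit_global_cap(SURGE_INTERVAL)
    print("global cap: accepted", dict(acc), "dropped", dict(drp))
    quota, acc, drp = admit_fair_share(SURGE_INTERVAL, SOURCES)
    print("fair share: quota", quota, "accepted", dict(acc), "dropped", dict(drp))
```

Under the global cap the firewall's 5000-event burst takes all 1000 licensed slots and every IDS and web server event is dropped; under the fair-share quota the IDS and web server are admitted in full and only the firewall is throttled to the 500 EPS left over. A production collector would drive the quota from a token bucket or from the previous interval's measured rates rather than buffering a whole interval, but the allocation rule is the same.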